Maintaining control of the message seems to be the new strategy for the 21st century. It worked for President Bush in last year's election, and Microsoft seems to be applying it to security vulnerabilities.
I mentioned a couple of weeks ago that Microsoft managers were discussing their desire to keep the details of security vulnerabilities out of the public eye, on the grounds that publishing those details gives attackers more ammunition.
The timing for that column could not have been better, because on November 8 -- the anniversary of Hitler's Beer Hall Putsch -- Microsoft and five other major players announced a programme that codifies the new information security order. Regular readers may note that I've tried to play both sides of this issue. Some of you may even remember that I called Novell's withholding of details about its Padlock security fix for GroupWise justified under the circumstances. So why am I now calling for Microsoft to come clean?
It's not because Novell is paying me off or because Microsoft isn't paying me enough. Bribery jokes aside, I have a real beef with the New World InfoSec Order. It's one thing to withhold details about a catastrophic security hole until customers get a chance to roll out the patch, as Novell did with the Padlock fix. It's a completely different thing to make a general practice of holding back necessary information from your customers, which is what Microsoft and its allies are doing.
Reader Stephen Satchell commented on the November 5 column as follows:
"I understand why Microsoft's Scott Culp said what he said. Unfortunately, Mr Culp's comment assumes that a system admin is running just servers.
"One reason to publish the exploits as they are uncovered is that there are multiple methods that can be used to protect servers from vulnerabilities. Fixing the server is only one way. Another is to use upstream filters/proxies -- indeed, several of the sites I [work with] turned off Code Red by using upstream and 'cross-stream' filters to compartmentalise the problem. Instead of turning off everything for days, the compartmentalisation meant that services would be disrupted on a schedule for a shorter time and that the results could be measured. This proved very important when a 'clean' compartment proved not to be -- due to a server that had been disconnected but not disinfected properly.
"My job is to keep my customers going. I need full exploit information, including running examples when available, to ensure that the fixes I put in place while the vendors do their updates keep the networks alive. Does Microsoft want to assume the liability for my not being able to do that?"
Thanks. I couldn't have said it better myself.